Multi region routing
Introduction
At the beginning of the Digital Factory, the Trustnest platform was based on Pivotal Cloud Foundry, deployed only in the Azure West Europe region. The overall platform was built around this region.
Since 2022, Thales has been accelerating its move-to-cloud strategy, bringing new engineers onto the Trustnest platform from new locations: India, Australia, Canada.
Even though most of the Managed Cloud Services can be deployed in any Azure region, a major capability is missing:
- Interconnection between services that are not located in the same region
This capability is crucial for multi-region services. For instance, a multi-region Software Based Solution requires replication mechanisms.
The purpose of this documentation is to explain the high-level design and how you can benefit from this service.
High Level Design
Region & Secured Hub
(not yet available -> under deployment)
Target:
- Have a secured hub deployed in the Singapore region to cover APAC needs
- Provide routing between Singapore Hub and Amsterdam Hub
- Have "local" interconnection in region: Amsterdam Hub from/to RIE FR + Singapore Hub from/to RIE Singapore
Technical assets
The next diagram describes how the interconnection works:
Routing Supported
Standard network to/from Corporate network
Standard environments are isolated from Corporate environments. This isolation is enforced: it is not possible to enable routing through the hub (technical limitation).
* means: outbound flows to the internet are allowed for the corporate environment, so you can reach a standard environment from the corporate environment by using an internet-exposed endpoint.
Landing zone to/from core-services
The routing is enabled by default between any landing zone and a core-service. It's also the case between core-services.
The routing is not enabled by default between two landing zones. Rationale: for security reasons, we want to limit the blast radius if a security incident occurs in a customer landing zone.
See the HOWTO section for how to request routing between landing zones.
EUROPE and/to APAC
Between regions, the routing follows the same design/pattern previously explained.
See the HOWTO section for how to request routing between landing zones located in different regions.
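The routing rules of this section can be written as a small policy check and used to audit a list of flows. This is an added example, not Trustnest tooling: the zone names, the field names and the sample flows are constructed. It assumes that every zone (core-services included) belongs to exactly one environment, that isolation is evaluated before any other rule, and that an approved request covers one direction only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    kind: str         # "landing-zone" or "core-service"
    environment: str  # "standard" or "corporate"
    region: str       # "europe" or "apac"; not used: same pattern across regions

def evaluate_flow(src, dst, approved):
    """Return (allowed, reason); approved is a set of (src_name, dst_name)."""
    # Assumption: isolation is checked first and no request can override it.
    if src.environment != dst.environment:
        return False, "standard/corporate isolation"
    if "core-service" in (src.kind, dst.kind):
        return True, "enabled by default"
    if (src.name, dst.name) in approved:
        return True, "approved flow request"
    return False, "landing zone to landing zone denied by default"

def audit(observed, zones, approved):
    """List observed (src_name, dst_name) flows that the policy does not allow."""
    findings = []
    for src_name, dst_name in observed:
        allowed, reason = evaluate_flow(zones[src_name], zones[dst_name], approved)
        if not allowed:
            findings.append((src_name, dst_name, reason))
    return findings

# Constructed sample data: zone names and flows are invented for illustration.
ZONES = {z.name: z for z in [
    Zone("lz-app-eu", "landing-zone", "standard", "europe"),
    Zone("lz-app-apac", "landing-zone", "standard", "apac"),
    Zone("lz-corp-eu", "landing-zone", "corporate", "europe"),
    Zone("core-dns-eu", "core-service", "standard", "europe"),
]}
APPROVED = {("lz-app-eu", "lz-app-apac")}
OBSERVED = [
    ("lz-app-eu", "core-dns-eu"),   # landing zone to core-service
    ("lz-app-eu", "lz-app-apac"),   # cross-region, covered by a request
    ("lz-app-apac", "lz-app-eu"),   # reverse direction, no request
    ("lz-corp-eu", "lz-app-eu"),    # corporate to standard
]

if __name__ == "__main__":
    for finding in audit(OBSERVED, ZONES, APPROVED):
        print(finding)
```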
HOWTO
HOWTO enable routing between a landing zone and a core-service?
Nothing! This routing is enabled by default.
HOWTO enable routing between 2 landing zones?
This flow is forbidden by default:
To enable this flow, submit a "Request Flow modification (new Allow/Deny rule)" request with postIT.
link: Request Flow modification (new Allow/Deny rule)
Prerequisites: make sure you can fill the following fields:
Next Steps
- Request a corporate landing zone in APAC to test the flows between regions! postit link